Application Properties

System properties influence the behavior of the system. Administrators use them to set timeout values, url addresses, processing settings, and many other properties.

System properties can be set:

  • in the ohi-oig.properties file

  • by the Properties API.

A new Oracle Insurance Gateway release may have a different set of properties that is supported.

The Property Definitions Integration Point contains the list of all available properties.

The following tables describe all properties. The property names are formatted for readability, note that the property names and associated values should always be specified on one line in the properties file. Refer to Property Management for more information on setting a property.

Australian Localization

The below table lists the generic system properties for Oracle Insurance Gateway in the context of Australian localizations.

Name Description Default Value Possible Values Change Effective

ohi.as2805_a.claim.
origin

MANDATORY
A value for this system property is required and identifies the origin of a 0200-170000 or a 0200-171000 request in the context of AS2805_A. This mandatory property reflects the proprietary name of AS2805_A.

Boolean

After Restart

ohi.as2805_a.provider.
reference.prefix

MANDATORY
A value for this system property is required and identifies the prefix value used for the provider reference in the context of AS2805_A.

PROVIDER

Immediate

ohi.as2805_b.claim.
origin

MANDATORY
A value for this system property is required and identifies the origin of a 0200-170000 request in the context of AS2805_B. This mandatory property reflects the proprietary name of AS2805_B.

Boolean

After Restart

ohi.as2805_b.provider.
reference.prefix

MANDATORY
A value for this system property is required and identifies the prefix value used for the provider reference in the context of AS2805_B.

PROVIDER

Immediate

ohi.integration.
australia

A value of true means that the Australian module will be activated at system start-up.

false

Boolean

After Restart

ohi.integration.
australia.eclipse.
client.identifier

Client identifier as provided during software registration

String

Next Execution

ohi.integration.
australia.eclipse.
device.name

Device name as given / used during device registration

String

Next Execution

ohi.integration.
australia.eclipse.
expiry.times.timezone

The time zone for device and key expiry times.The identifier usually has the format region/city, e.g. Australia/Sydney

Australia/Sydney

String

Next Execution

ohi.integration.
australia.eclipse.jwt.
assertion.aud

JWT Assertion audience

https://proda.
humanservices.gov.
au

String

Next Execution

ohi.integration.
australia.eclipse.jwt.
assertion.sub

JWT Assertion sub name, usually the same as the software instance or device name

String

Next Execution

ohi.integration.
australia.eclipse.key.
expiry.time.margin

Safety margin in seconds for key expiry time

3600

Integer ≥ 1

Next Execution

ohi.integration.
australia.eclipse.
organization.identifier

Organization identifier as used during device registration

Integer ≥ 1

Next Execution

ohi.integration.
australia.eclipse.ping.
header.audit.id

The class of the audit(id) while pinging agency

WEB00001

String

Next Execution

ohi.integration.
australia.eclipse.ping.
header.audit.id.type

The class of audit(type) user specified while pinging agency

Location Id

String

Next Execution

ohi.integration.
australia.eclipse.ping.
header.ibm.client.id

x-ibm-client-id used while pinging agency

http://humanservices.
gov.au/PRODA/org

String

Next Execution

ohi.integration.
australia.eclipse.ping.
header.location.id

The class of the location(id) while retriving token also used in the dhs-correlationId

WEB00001

String

Next Execution

ohi.integration.
australia.eclipse.ping.
header.product.id

Product id used while pinging agency

ECLIPSE API V1.0

String

Next Execution

ohi.integration.
australia.eclipse.ping.
header.subject.id

The class of subject user(id) specified while pinging agency

WEB00001

String

Next Execution

ohi.integration.
australia.eclipse.ping.
header.subject.id.type

The class of the subject(type) while retrieving token

Fund Location Id

String

Next Execution

ohi.integration.
australia.eclipse.ping.
request.url

Eclipse ping request URL.

String

Next Execution

ohi.integration.
australia.eclipse.
refresh.key.url

ECLIPSE Refresh Device Key URL. The specified value requires placeholders org_id and device_name. At runtime, the system replaces the placeholders with the values of system properties ohi.integration.australia.eclipse.organization.identifier and ohi.integration.australia.eclipse.device.name respectively. Sample value: https://some.host.gov.au/context_root/api/b2b/v1/orgs/org_id/devices/device_name/jwk

String

Next Execution

ohi.integration.
australia.eclipse.
service.provider.<0>

Service Provider for a REST Delivery Integration Step.The placeholder is the REST Client ID for the Integration Step

String

Next Execution

ohi.integration.
australia.eclipse.
service.provider.<0>.
audience

The placeholder value is the REST Client ID for the Integration Step which is defined as destination code.

String

Next Execution

ohi.integration.
australia.eclipse.si.
activation.url

ECLIPSE Software Instance Activation URL. The specified value requires a placeholder device_name.At runtime, the system replaces the placeholder with the value of system property ohi.integration.australia.eclipse.device.name. Sample value: https://some.host.gov.au/context_root/api/b2b/v1/devices/device_name/jwk

String

Next Execution

ohi.integration.
australia.eclipse.
softwareinstance.name

Name of the Software Instance

String

Next Execution

ohi.integration.
australia.eclipse.token.
header.audit.id.type

The class of audit user specified while retriving token

http://humanservices.
gov.au/PRODA/org

String

Next Execution

ohi.integration.
australia.eclipse.token.
header.subject.id.type

The class of the subject while retriving token

http://humanservices.
gov.au/PRODA/device

String

Next Execution

ohi.integration.
australia.eclipse.token.
url

ECLIPSE Token Endpoint URL

String

Next Execution

Base-view Generator

Name Description Default Value Possible Values Change Effective

ohi.baseview.generation.
worker.count

The number of worker threads to start for a base view generation process

8

Integer ≥ 1

Immediate

Cache Control

Name Description Default Value Possible Values Change Effective

ohi.httpapi.cache.
control.cachesetting.
metadata

This property specifies the code of a OHI_RESOURCE_CACHE_SETTING for metadata settings. See ohi.httpapi.cache.control.enable.

String

Next Execution

ohi.httpapi.cache.
control.enable

Property to enable HTTP API Caching, which is disabled by default. When enabled, HTTP API will add a Cache-Control header in the response it sends.

false

Boolean

Next Execution

ohi.process.cache.
disabled

This property enables or disables business process cache facilities.

false

Boolean

Next Execution

ohi.process.cache.push_
wait

The time in milliseconds to back-off invalidating the business process cache for consecutive bursts of invalidations.

250

Integer ≥ 0

After Restart

Callout Properties

The following table lists properties used by the REST callout client:

Name Description Default Value Possible Values Change Effective

ohi.rest.client.logging

Enable or Disable logging for rest clients. When "true" will log traffic to external system.

false

Boolean

Immediate

ohi.service.client.
cache.size

The rest client cache size.

500

Integer ≥ 1

Immediate

Cross Origin Resource Sharing

See the Security Guide for an introduction to Cross Origin Resource Sharing (CORS). For further explanation the reader is referred to W3C’s CORS specification.

The following table lists CORS related properties:

Name Description Default Value Possible Values Change Effective

ohi.cors.access.control.
allow.origin

MANDATORY
Comma-separated list of allowed origins. The value '*' effectively allows all origins.

String

Next Execution

ohi.cors.access.control.
allow.credentials

Header that shows whether the system can expose the response to a request when the omit credentials flag is unset. When this is part of the response to a preflight request, it shows that the actual request can include user credentials.

true

Boolean

Next Execution

ohi.cors.access.control.
allow.headers

Header that shows, as part of the response to a preflight request, which header field names can be useful for during the actual request. Allows all headers by default. The value is a comma-separated list of allowed headers.

String

Next Execution

ohi.cors.access.control.
allow.methods

Header that shows, as part of the response to a preflight request, which methods the system can use during the actual request. Allows all methods by default. The value is a comma-separated list of allowed methods.

String

Next Execution

ohi.cors.access.control.
expose.headers

Header that shows which headers are safe to expose to the API of a CORS API specification. The value is a comma-separated list of all exposed headers.

String

Next Execution

ohi.cors.access.control.
max.age

Header that shows how long the preflight result cache stores the results of a preflight request, number representing seconds.

1800

Integer ≥ 0

Next Execution

ohi.vary.header

Property to set Vary HTTP Header. Value is a comma-separated list

Accept,Accept-
Encoding,Accept-
Language,Origin

String

Next Execution

Data Exchange

Name Description Default Value Possible Values Change Effective

ohi.application.uri.<0>

MANDATORY
Reference to URI of the source application to retrieve data-sets metadata to be processed. Either "CONF" or "PRD" as values replace the <0>. It is possible to define multiple URI’s, with ";" separating each.

String

Next Execution

ohi.cm.concurrency.limit

This property specifies the number of parallel threads in configuration migration tool for export and import processes. For better performance results, we recommend the value of this system property to be equal to the number of CPUs (core). For example, if there are six CPUs and each of them is single-core, then this property must be six

2

Integer ≥ 1

After Restart

ohi.cm.dynamiclogic.
import.maxretrycount

Some Dynamic Logic can refer to another Dynamic Logic and if the Dynamic Logics are not imported in the correct order, the compilation will fail. If this happens, the CMT process retries the failed Dynamic Logic. This property specifies how many times the Dynamic Logic Import retries before marking it as errored. We suggest to use a value between one and nine.

3

Integer ≥ 0

Next Execution

ohi.cm.dynamiclogic.
retry.import.batch.size

The number of records from the failure table that the CMT process reads at once during retry processing.

100

Integer ≥ 0

Next Execution

ohi.cm.
highvolumeentities.
export.page.size

The system uses this property in the export process and it represents the number of high volume entities (For example, Procedure Group detail) to read at a time. We recommend setting this value to N * 1000, where N is the number of JVMs.

1000

Integer ≥ 1

Next Execution

ohi.<0>.endpoint.request

Allows for web service client interactions to identify their request URI destination. The system uses this property to get the URI for the end point. The notification key replaces the <0>. Sample value is http://machine.domain:port/<0>.

String

Next Execution

Data Set Operations

Name Description Default Value Possible Values Change Effective

ohi.datasetoperations.
notification.endpoint.
export

This property is about the Data Set Operations Integration Point, for export usages. It contains a URI that refers to the notification message, once the process of uploading the data set payload completes this message is sent.

String

Next Execution

ohi.datasetoperations.
notification.endpoint.
import

This property is about the Data Set Operations Integration Point, for import usages. It contains a URI that refers to the notification message, once the process of uploading the data set payload completes this message is sent. Error messages prevent the import from happening.

String

Next Execution

Destination Address

Name Description Default Value Possible Values Change Effective

address.key.<0>

Used for defining the address key property. The <0> is replaced by the particular address key of Destination

String

Immediate

Dynamic Logic

Name Description Default Value Possible Values Change Effective

ohi.dynamiclogic.
classes.directory

Path to directory in which the system places the generated Dynamic Logic classes.

/tmp

String

Next Execution

ohi.dynamiclogic.
startup.compile

An optional property that determines whether to compile the Dynamic Logic (those who are not compiled before) at the startup of the application or not.

true

Boolean

Next Execution

ohi.dynamiclogic.timeout

An optional property that determines the timeout of a running Dynamic Logic. If the timeout expires, the system interrupts the Dynamic Logic and throws an exception. The value is in seconds. Please note that when you add/update a Dynamic Logic timeout property, the Dynamic Logic needs to recompile for the property change to take effect. You can do this by using the "Invalidate Dynamic Logic Integration Point" that we explain in the Integration Guide.

300

Integer ≥ 0

Next Execution

ohi.dynamiclogic.
timeout.<0>

An optional property that determines the timeout of the running Dynamic Logic. If the timeout expires, the system interrupts the Dynamic Logic and throws an exception. The value is in seconds. This property is for a particular Dynamic Logic code, so replace the placeholder <0> with the Dynamic Logic code for which you want to specify the timeout. Please note that when you add/update a Dynamic Logic timeout property, the Dynamic Logic needs to recompile for the property change to take effect. You can do this by using the "Invalidate Dynamic Logic Integration Point" that we explain in the Integration Guide. If this property is not set, it takes the value of ohi.dynamiclogic.timeout (which in its turn has a default of '300').

Integer ≥ 0

Next Execution

Logging Support

Name Description Default Value Possible Values Change Effective

ohi.logging.fileset.max.
timespan

Maximum time in days between start and end time for bundling log events in a file set

2

Integer ≥ 1

Immediate

ohi.logging.phi.min.
retentionperiod

Minimal number of days for retaining PHI log events

1825

Integer ≥ 1

Immediate

ohi.logging.target

Determines whether logging persists to the database or uses any configured Logback Appender. Possible values are 'database' and 'log' respectively

log

String

Next Execution

Incident Reports

Name Description Default Value Possible Values Change Effective

ohi.incident.
datafileset.
retentionperiod

Whenever OHI Incident storage in datafile sets activates, this property defines the number of days that the system will keep OHI Incident datafile sets, and remove OHI Incident datafile sets that are older.

10

Integer ≥ 1

After Restart

ohi.incident.rootdir

OHI Components makes use of the Logback library for generating log output. In the event of an unanticipated application exception, the system writes more detailed exception trace information to an individual exception trace file. This property controls the location of these exception trace files. By default, the location 'target/trace' is relative to the directory where the WebLogic server starts. When changing the value for this property, make sure that the OS user that executes the WebLogic server processes needs to create (and read/write files in) the directory that the property refers to.

target/trace

String

After Restart

ohi.incident.target

OHI Incident files can be stored in the database, in a datafile set. Whenever you set this property to "datafileset" this feature activates. Otherwise, the default mechanism of writing incident files to an OS file system directory. The OHI Incident datafile sets will have a Code with a following pattern: "OHIIncidents<yyyyMMdd>". Note that the value for this property must be set in the properties file, not using properties API.

file

"file" or "datafileset"

After Restart

Integration

Name Description Default Value Possible Values Change Effective

ohi.<0>.application.
baseurl

MANDATORY
This is the default URL for accessing the application. It is used to construct the links included in asynchronous responses and notifications. It includes the machine or load balancer, the domain, and a port number. The placeholder <0> in this property name must specify the application name. The various API requests that start an asynchronous process can take a custom header parameter that overrides the value of this property. In this case, the base URL is derived from the request, instead of this property.

String

After Restart

ohi.<0>.deeplink.url

MANDATORY
The base URL of an application for ADF/JET UI deep linking URL formation. It includes the machine or load balancer, the domain and a port number. It is mandatory to set a correct link in the deep linking URL. The application name must replace the Placeholder <0>. An example of the value is http://localhost:7001.

String

After Restart

ohi.http.api.path

The context root of the application. For example, /<application>-ws/api. We do not anticipate for this property to be hot reloadable.

api

String

Next Execution

ohi.max.redirect.count

Maximum number of redirections that a particular external invocation take

10

Positive integer

Immediate

ohi.timeout.
maxRepeatAttempts

Determines how many times a a timeout task will check if the underlying work is complete

3

Integer ≥0

Immediate

<0>-timeAllowed

This key stores the time allowed for an external system to complete the long running process after which the exchange tries to find the status of the process using the location header stored with the key above. The placeholder should be replaced with the suitable integration step code. Example key is: invokeActivityStep-timeAllowed

Integer ≥ 1

Immediate

Blocking Integration Interaction Pattern

The following properties are used by the system to provide the notion of seemingly blocking integration interaction. The system automatically adjusts the pool size according to the bounds set by 'ohi.exchange.await.core.poolsize' and 'ohi.exchange.await.max.poolsize'.

Name Description Default Value Possible Values Change Effective

ohi.exchange.await.core.
poolsize

If fewer threads are running, a new thread is created to handle the request, even if other worker threads are idle. Default is 2 times the number of available processors/CPU cores.

Integer ≥0

Immediate

ohi.exchange.await.max.
poolsize

If there are more than ohi.exchange.await.core.poolsize but less than ohi.exchange.await.max.poolsize threads running, a new thread will be created only if the queue (having a maximum size of 2147483647) is full. Typically this means that with a value of 40, at most there will be 40 threads available for 'async await'.

40

Integer ≥0

Immediate

ohi.exchange.await.poll.
frequency.<0>

It indicates the polling frequency for an integration for blocking exchange. <0> will be replaced by the actual integration code. The section Tuning polling frequency for blocking invocation provides the description and impact of this property.

1000

Positive integer

Immediate

ohi.exchange.blocking.
timeout.max

The maximum amount of time the system will wait for an asynchronous exchange to be completed. In case the timeout is not specified on the exchange header. Specified in milliseconds.

5000

Integer ≥0

Immediate

ohi.exchange.scheduler.
poolsize

Specifies a numeric value that indicates the pool size for thread that should execute scheduler based integrations.

10

Integer ≥0

Immediate

Intrusion Detection

Oracle Health Insurance applications safeguard against Cross-Site Scripting (XSS) attacks by checking "untrusted" data that may be entered in HTTP API requests (see the Security Guide for intrusion detection principles). Detection behavior can be customized using the properties that are listed in the following table:

Name Description Default Value Possible Values Change Effective

ohi.untrusteddata.check

The application enables the XSS vulnerability detection by default. Disable it bysetting the value for this parameter to false. You should use this property if other components in the landscape perform vulnerability detection.

true

Boolean

Next Execution

ohi.untrusteddata.
domain.attribute.length

The system checks the domain attributes of type string by default if the length ≥ 30 characters. To be more stringent, decrease the default value using this property.

30

Integer ≥ 1

Next Execution

ohi.untrusteddata.
whitelist.
domainattribute

The system checks the domain attributes by default. Use this property to define a comma-separated list of excluded customer-specific attributes from intrusion detection checking. Format: <DOMAIN OBJECT SIMPLE NAME>.<ATTRIBUTE NAME>.

String

Next Execution

ohi.untrusteddata.
whitelist.httpheader

The property checks the HTTP Headers by default. Use this property to define a comma-separated list of customer-specific headers that need exclusion from intrusion detection checking. Format: <HEADER NAME>,<HEADER NAME>.

String

Next Execution

ohi.untrusteddata.
whitelist.queryparameter

The system checks HTTP Query Parameters by default. Use this property to define a comma-separated list of customer-specific query parameters that need exclusion from intrusion detection checking. Format: <QUERY PARAMETER NAME>,<QUERY PARAMETER NAME>.

String

Next Execution

For example, to prevent mixed encoded Cookies that a client like a browser sends as part of the request to result in a Bad Request, allow the Cookie header as follows:

ohi.untrusteddata.whitelist.httpheader=Cookie

Monitoring and Metrics

Name Description Default Value Possible Values Change Effective

ohi.instrumentation.
common.application.tag

Set to true to tag each metric with the name of the application.

false

Boolean

After Restart

ohi.instrumentation.
filter.ohi.nameprefix

Set to false to enable recording of non-OHI metrics.

true

Boolean

After Restart

ohi.instrumentation.
gather.
applicationmetrics

Set to true to enable recording of metrics.

false

Boolean

Immediate

ohi.instrumentation.
gather.jvmtelemetry

Set to true to enable recording of JVM telemetry.

false

Boolean

After Restart

ohi.instrumentation.
resourceclienttimer.
segment.prefixes

Comma-separated list of resource path segment prefixes for resource client timers that the system interprets as not being the last segment of the resource path.

Comma-
separated string,
e.g. api,oig-api,
policies-ws

After Restart

ohi.instrumentation.<0>.
histogram

Determines whether to publish histogram buckets for the timer you configure.

false

Boolean

After Restart

ohi.instrumentation.<0>.
percentiles

Percentiles for the timer you configure.

Comma-
separated string,
e.g. 0.5,0.75,0.
95,0.99

After Restart

ohi.instrumentation.<0>.
regex

The system publishes data for the timer if the tag name that you specify as property ohi.instrumentation.<0>.regex.tagname matches this regular expression.

Regular expression

After Restart

ohi.instrumentation.<0>.
regex.tagname

Tag name subject to testing with the regular expression that you specify as property ohi.instrumentation.<0>.regex. The system publishes data for the timer if the tag name matches the regular expression.

String

After Restart

See the Operations Guide for more details about metrics related properties.

Properties File Poll Interval

Name Description Default Value Possible Values Change Effective

ohi.properties.file.
poll.interval

Changes made to any of these properties are not immediately picked up by the application. That only happens when it reads the properties-file again. This property specifies how often the system will read the file, in minutes. Default value, every 10 minutes. Minimum value, 1 minute. Values lower than that are ignored, meaning the default value is used.

10

Integer ≥ 1

Next Execution

Purge Notification Properties

Name Description Default Value Possible Values Change Effective

ohi.purge.notification.
endpoint

The base URI of the system that is going to receive notification events.

String, as URL

Immediate

ohi.purge.notification.
endpoint.<0>

This overrides any value that has been specified for ohi.purge.notification.endpoint for the specific {PURGE TYPE}. Possible purge types: 'PurgeEvent', 'PurgeExchange', 'PurgeTechnicalData'.

String, as URL

Immediate

Secrets Store

Name Description Default Value Possible Values Change Effective

ohi.oauth.cert.signing.
algorithm

Determines the signing algorithm for X509 certificates that the OHI applications use to sign the JWT token that an OHI application generates for obtaining an OAuth2 access token through the assertion grant type (where it uses the JWT as assertion). OHI applications only supports RSA algorithms currently.

SHA512withRSA

String

Immediate

ohi.secure.secrets.store

The type of store the OHI application uses for secrets

One of the following: opss,
vault

After Restart

ohi.vault.address

Vault address. Must use HTTPS.

String

After Restart

ohi.vault.clientkeypem.
url

Resource URL to Vault Client Key pem. A matching value for system property ohi.vault.clientpem.url must accompany this property

String

After Restart

ohi.vault.clientpem.url

Resource URL to Vault Client pem. A matching value for system property ohi.vault.clientkeypem.url must accompany this property

String

After Restart

ohi.vault.environment.
identifier

To distinguish secrets on a per OHI application instance basis

String

After Restart

ohi.vault.jkskeystore.
password

Password for JKS keystore that contains certificates A matching value for system property ohi.vault.jkskeystore.url must accompany this property

String

After Restart

ohi.vault.jkskeystore.
url

Resource URL to JKS keystore that contains certificates. A matching value for system property ohi.vault.jkskeystore.password must accompany this property

String

After Restart

ohi.vault.jkstruststore.
url

Resource URL to JKS truststore that contains certificates

String

After Restart

ohi.vault.kv.secrets.
engine

By default, OHI applications assume that Vault’s Key-Value secrets engine is enabled at root path "secret". The Key-Value secrets engine is used to store arbitrary secrets within the physical storage for Vault you configure.

secret

String

After Restart

ohi.vault.namespace

OHI specific Vault namespace section, under the path determined by properties {ohi.vault.kv.secrets.engine}/{ohi.vault.namespace} to look for secrets

ohi

String

After Restart

ohi.vault.pem.url

Resource URL to Vault pem

String

After Restart

ohi.vault.token

Vault token

String

Next Execution

Single Sign-On and Web Gate

The following table lists properties that need to be set when an Oracle Health Insurance application take part in Single Sign-On (SSO) scenarios or when Oracle Health Insurance applications are fronted by a gateway that is responsible for handling authentication:

Name Description Default Value Possible Values Change Effective

ohi.security.sso.enabled

The application will check for an SSO header, and if it does not find one, it will present the user with a login screen.

false

Boolean

Next Execution

ohi.security.sso.header

The header value in which to check for an SSO principal if servlet security does not map it.

OAM_REMOTE_USER

String

After Restart

ohi.security.sso.
required

The application will reject traffic without an SSO header.

false

Boolean

Next Execution

Task Processing

Name Description Default Value Possible Values Change Effective

ohi.processing.
attemptLogLevel

A non-zero value for this property means that the system retains data (That is, extra_info) for failed attempts.

0

Integer ≥ 0

Next Execution

ohi.processing.
defaultdelay

Default amount of delay in seconds when a failed task re-queues for another attempt. The system can override this property if a delay is set on the task type.

3

Integer ≥ 0

Next Execution

ohi.processing.filldepth

Specifies a target number of work items to process at a time - to best utilize processing capacity. We suggest a value that is a multiple of the number of CPU cores available to the managed server. The system will take the maximum of 2x the number of processors available to the JVM and the value of this property (which has in its turn a default of 3).

3

Integer ≥ 0

Next Execution

ohi.processing.
fillthreshhold

Determines the number of tasks that the system submits for processing. Suggested is a value that is 1 less than the number of CPU cores available to the managed server. The system will take the maximum of the number of processors available to the JVM minus 1 and the value of this property (which has in its turn a default of 1).

1

Integer ≥ 1

Next Execution

ohi.processing.
maxErrorAttempts

Number of times a task can resolve as 'errored' before it stops a task flow.

3

Integer ≥ 0

Next Execution

ohi.processing.
maxIncompleteAttempts

Determines how many times a specific incomplete task will reschedule for processing, before marking it as 'errored'.

10000

Integer ≥ 0

Next Execution

ohi.processing.
retryimmediate

Determines if a failed task retries immediately, or re-queues for another attempt after a delay.

true

Boolean

Immediate

ohi.startup.start.task.
processing

Controls task processing for a managed server. By default, if a managed server that executes an OHI Components application starts, then it will start processing tasks from the work backlog queue. You can override the default behavior by setting command-line parameter ohi.startup.start.task.processing; if it is set to false, a managed server that executes the OHI Components application will not process tasks after it starts. The default value is true, meaning the managed server that executes the OHI Components application will start processing tasks from the work backlog queue after it starts.

true

Boolean

Next Execution

Specifically for Oracle Insurance Gateway, Oracle recommends setting the value for ohi.processing.fillthreshhold to the value of ohi.processing.filldepth + 1. Rationale: tasks in Oracle Insurance Gateway may take a relatively large amount of time to complete. As the application only fetches additional work from the queue if the fill depth drops below the fill threshold, these longer running tasks can prevent the system from fully utilizing its processing capacity.

Using OAuth2 for REST Client Invocations

REST Clients in Oracle Health Insurance applications can be configured to send requests to OAuth2 protected resources. In that case the application validates and / or introspects OAuth2 access tokens that are sent as Bearer tokens in the HTTP Authorization header. See the Security Guide for further details about OAuth2 support in Oracle Health Insurance applications.

The following table lists OAuth2 REST Client and server side properties.

Name Description Default Value Possible Values Change Effective

ohi.oauth.accesstoken.
expiry.time.delay

To model the overhead of fetching an access token from an OAuth2 authorization server for caching the access token in the REST client. For example, to account for some network delay between the client and the authorization server. For example, if the authorization server returns a token with an expiry time of 3600 seconds and if the network delay is 100 ms, then you can configure 100 ms for this key. The system will cache the resulting access token for the original expiry time minus overhead time, that is, 3600000 - 100 = 3599900 ms. You must specify the value in milliseconds.

10

Integer ≥ 0

Immediate

ohi.oauth.jwk.set.url

The URL value for the OAuth2 authorization server JSON Web Key (JWK) Set endpoint. The OAuth2 authorization server must support RFC 7517. Token Validation Method is JWKSET.

String, URL

After Restart

ohi.oauth.jwk.set.
validation.audience

Client Id or audience claim for Token Validation. Token Validation Method is JWKSET.

String

After Restart

ohi.oauth.jwk.set.
validation.issuer

Issuer for Token Validation. Token Validation Method is JWKSET.

String or URL

After Restart

ohi.oauth.jwk.set.
validation.jws.signing.
algorithm

Signing algorithm that the Authorization Server uses. Token Validation Method is JWKSET.

RS256

String

After Restart

ohi.oauth.jws.signing.
algorithm

Algorithm for signing the JWT token that an OHI application generates for obtaining an OAuth2 access token through the assertion grant type (where the JWTis used as an assertion). Note that it only supports RSA algorithms.

RS512

RS256, RS384, RS512

Immediate

ohi.oauth.jwt.
expiration.period

Expiration period (in seconds) for the JWT token that an OHI application generates for obtaining an OAuth2 access token through the assertion grant type (where the JWT is used as an assertion) .

600

0 ≤ Integer ≤ 9999

Immediate

ohi.oauth.jwt.userid.
claim

Specifies the claim in the JWT that can identify the user for which the system creates the OAuth2 access token. Token Validation Method is JWKSET.

sub

String

Immediate

ohi.oauth.openidconnect.
accesstoken.client_id

Client ID of the OpenID Connect client that has to be present to acquire an access token.

String

Immediate

ohi.oauth.openidconnect.
accesstoken.credential

Credential associated with the OpenID Connect client that has to be present to acquire an access token.

String

Immediate

ohi.oauth.openidconnect.
accesstoken.validation.
clockskew

Defines the maximum acceptable clock skew (in seconds) for validating timestamps of ID tokens that an OpenID Provider issues.

60

Integer ≥ 1

After Restart

ohi.oauth.token.
introspection.endpoint.
client_id

Unique Client Id for resolving the username and password credentials. When calling the OAuth2 authorization server token validation or introspection endpoint, the system uses this unique Client Id to construct the Basic Authentication Authorization header. Token Validation Method is OAUTH2_ENDPOINT.

String

Immediate

ohi.oauth.token.
introspection.endpoint.
url

The URL value for the OAuth2 authorization server token validation or introspection endpoint. It assumes that the endpoint supports Basic Authentication. Token Validation Method is OAUTH2_ENDPOINT.

String, URL

After Restart

ohi.oauth.token.
introspection.response.
username

Specifies the RFC 7662 defined Introspection Response element to derive the username from. Token Validation Method is OAUTH2_ENDPOINT.

sub

String

Immediate

ohi.oauth.token.issuer.
<0>

For Token Validation. Specific issuer identifier. Requires use of properties ohi.oauth.token.issuers and ohi.oauth.token.issuer.<0>.user.claim.

String or URL

After Restart

ohi.oauth.token.issuer.
<0>.user.claim

For Token Validation. Issuer-specific user claim. Requires use of properties ohi.oauth.token.issuers and ohi.oauth.token.issuer.<0>.

String

After Restart

ohi.oauth.token.issuers

For Token Validation. Comma-separated string of possible token issuers. Requires use of properties ohi.oauth.token.issuer.<0> and ohi.oauth.token.issuer.<0>.user.claim.

Comma-
separated string,
e.g. oracle_idcs,
azure_ad

After Restart

ohi.oauth.token.
validation.method

Determines the access Token Validation Method. Possible values: JWKSET: The resource server validates the OAuth2 access tokens . Assuming the token is a JWT, validates it against a JSON Web Key (JWK) Set as defined by RFC 7517. The source of the JWK Set is an endpoint that an OAuth2 authorization server exposes. Use this method to validate ID tokens that an OpenID Provider issues.OAUTH2_ENDPOINT: validates the token using an OAuth2 authorization server’s token introspection endpoint as defined by RFC 7662.

JWKSET

JWKSET, OAUTH2_
ENDPOINT

Immediate

Claims in an OAuth2 token may differ per token issuer. The following example demonstrates mapping a specific claim in an access token to Oracle Health Insurance User based on the issuer of the token:

# configure multiple token issuers as comma-separated string
ohi.oauth.token.issuers=oracle_idcs,azure_ad

# configure issuer to user claim mapping for issuer oracle_idcs
ohi.oauth.token.issuer.oracle_idcs=https://identity.oraclecloud.com/
ohi.oauth.token.issuer.oracle_idcs.user.claim=sub

# configure issuer to user claim mapping for issuer azure_ad
ohi.oauth.token.issuer.azure_ad=https://sts.windows.net/fa15d692-e9c7-4460-a743-29f29522229/
ohi.oauth.token.issuer.azure_ad.user.claim=oid

User Interface

Name Description Default Value Possible Values Change Effective

ohi.environment.
identifier

Text string on the home page of the system that helps the user to identify the environment. Samples are 'User Acceptance Test' or 'Development'.

ohi

String

Next Execution

ohi.jsui.cmt.payload.
max.items.limit

This property is used to provide maximum number of items that can be included in a CMT payload

300

Integer ≥ 1

Immediate

ohi.jsui.formatted.
address.organization

This property is used to display the formatted address in context of a organization

String

After Restart

ohi.jsui.formatted.
address.person

This property is used to display the formatted address in context of a person

String

After Restart

ohi.ui.accessToken.root.
url

The webgate URL root (Required for CSP whitelist).

String

After Restart

ohi.ui.accessToken.url

The webgate URL to access accessToken resource.

String

After Restart

ohi.ui.api.
authentication.method

Authentication mechanism for the JET UI. One of OAuth, BasicAuthentication, WebGate (in case a gateway handles authentication) or OpenID (in case OpenID Connect is used - see below table for more properties).

Oauth

String

After Restart

ohi.ui.api.
authentication.oauth.
clientId

The clientId is the public identifier for the JET UI. Mandatory when using OAuth. Not applicable when not using OAuth. Has no default value.

String

After Restart

ohi.ui.backEnd.root.url

The base URL for accessing web services, typically includes the machine or loadbalancer, the domain and a port number.

String

After Restart

ohi.ui.backEndURL

Fully qualified URL for HTTP API resources. The path in the URL should include the context root for HTTP API resources. The default context root for HTTP API resources is '/api'. Note that this could be a load balancer URL and / or that the default context root might have been overwritten using a deployment plan.

String

After Restart

ohi.ui.httplink.<0>

This property is used for defining the address of the http link. <0> to be replaced by a custom identifier to give more context to the http link configuration.

String

Immediate

ohi.ui.logout.url

The URL used by Oracle JET to actively logout a user (session)

String

After Restart

ohi.ui.session.timeout

The timeout is the time (in milliseconds) after which the current user session expires and displays 'The page has expired' warning dialog. Clicking OK re-directs the user to the login page. The default value is set to 1hr (3600000 ms). A value of 0 means never timeout.

3600000

Integer ≥ 0

After Restart

ohi.ui.waitTime

The waitTime is the time (in milliseconds) between entering a character in a search field, and the search firing. Applies to quick search and LOV, suggested is 1500.

1500

Integer ≥ 1

After Restart

ohi.ui.webgate.logout.
url

Logout from WebGate/SSO external provider

/logout

String

After Restart

ohi.ui.webgate.url

OAM URL (Required for CSP whitelist).

String

After Restart

Specifically for OpenID Connect Support

The following table lists user interface related properties, specifically for OpenID Connect support:

Name Description Default Value Possible Values Change Effective

ohi.oauth.idp.uri

You need to set a system property to the IDP (IDentity Provider) URL to acquire the OpenID Connect configuration. Set this property when ohi.oauth.use.openidconnect is set to 'true'.

String

After Restart

ohi.oauth.use.
openidconnect

When set to true, it indicates that Oracle JET UI leverages OpenID Connect authentication.

false

Boolean

After Restart

ohi.security.oauth.
callback

Specifies the OpenID Connect callback URL to invoke after authentication of the user through OpenID Connect takes place, but before an access token is obtained.

oidc/callback

String

After Restart

ohi.security.oauth.
cookie.maxage

This property determines the time (in seconds) until the the OAUTH authentication cookie expires.

3600

Integer ≥ 1

After Restart

ohi.security.oauth.
cookie.name

This property specifies the name of the shared cookie, which stores the OpenID connect authentication information.

OHI_SHARED_AUTH

String

After Restart

ohi.security.oauth.
cookie.path

This property specifies the path of the OHI OAUTH Session Cookie. This path must exist in the requested URL, or the browser won’t send the Cookie header.

/

String

After Restart

ohi.security.oauth.
cookie.secure

This property determines if the OAUTH authentication cookie is set to 'secure'. When set to true, the cookie is only sent to the server when the system makes a request with the 'https:' scheme.

false

Boolean

After Restart

ohi.security.oauth.
frontend

Specifies the base URL of the JET Application that needs to be secure (For example, https://host:8909/oig).

/

String

After Restart

ohi.security.oauth.
logout

Specifies the OpenID Connect URL to invoke after a user selects to logout from the UI.

oidc/logout

String

After Restart

Web Service Settings

Name Description Default Value Possible Values Change Effective

ohi.ws.client.
retrytimeout

MANDATORY
The time in milliseconds that the system will wait before it makes another attempt to access a failing service. A value of 0 means no timeout before retrying.

1000

Integer ≥ 0

After Restart

ohi.ws.fileimport.
filesrootdirectory

MANDATORY
Use this property to give the root directory path that the File Import uses. This is for security reasons, it ensures that the files are in a specific area only.

String

Next Execution

ohi.ws.api.default.
pagesize

Number of items fetched in a HTTP API request.

50

Integer ≥ 1

Next Execution

ohi.ws.client.
connectiontimeout

The time in milliseconds before the attempt to connect to an outbound service times out. A value of 0 means never timeout.

60000

Integer ≥ 0

Immediate

ohi.ws.client.
maxconnectionsperhost

The maximum number of concurrent connections the HTTP client will allow to a certain host at any given moment.

2

Integer ≥ 1

Immediate

ohi.ws.client.
maxtotalconnections

Sets the maximum number of total concurrent connections the HTTP client will allow at any given moment.

20

Integer ≥ value of ohi.
ws.client.
maxconnectionsperhost

Immediate

ohi.ws.client.
readtimeout

The time in milliseconds that the client will wait for the server to respond to the request. A value of 0 means never timeout.

60000

Integer ≥ 0

Immediate

ohi.ws.last.login.
update.threshold

The number of hours that need to pass between logins before updating the user’s last login timestamp. By default, the last login timestamp will not update more than once per hour. This only applies to logins through a web service, not the ADF UI.

1

Integer ≥ 1

Next Execution

Some additional service settings:

Name Description Default Value Possible Values Change Effective

ohi.service.client.pool.
active

Enable or disable to leverage connection pool functionality

true

Boolean

After Restart

ohi.service.client.pool.
destination.
maxconnections

The maximum number of connections in the pool per destination. Effective immediately for non-cached clients.

64

Integer ≥ 1

After Restart

ohi.service.client.pool.
destination.maxqueued

The maximum number of connections in the pool allowed to be queued per destination. Effective immediately for non-cached clients.

1024

Integer ≥ 1

After Restart

ohi.service.client.pool.
timeout.
addressresolution

The max time, in milliseconds, to resolve the host address. Effective immediately for non-cached clients.

15000

Integer ≥ 1

After Restart

ohi.service.client.pool.
timeout.connection

The time in milliseconds before the attempt to connect to an outbound service times out. Effective immediately for non-cached clients.

15000

Integer ≥ 1

After Restart

ohi.service.client.pool.
timeout.idle

The max time, in milliseconds, a connection can be idle. Effective immediately for non-cached clients.

60000

Integer ≥ 1

After Restart

ohi.service.client.
response.content.maxsize

Maximum allowed response content size in MegaBytes (MB).

2147

Integer ≥ 1

After Restart

ohi.service.<0>.client.
authentication

This property specifies the (Jersey/REST specific) authentication mechanism to use for machine-to-machine communication. Allowable values are 'None', 'BasicAuthentication' (and 'OAuth'). The notification key replaces the <0>.

BasicAuthentication

String

Next Execution

ohi.service.<0>.client.
pool.destination.
maxconnections

The maximum number of connections in the pool per destination for client <0>. Effective immediately for non-cached clients.

Integer ≥ 1

After Restart

ohi.service.<0>.client.
pool.destination.
maxqueued

The maximum number of connections in the pool allowed to be queued per destination for client <0>. Effective immediately for non-cached clients.

Integer ≥ 1

After Restart

ohi.service.<0>.client.
pool.timeout.
addressresolution

The max time, in milliseconds, to resolve the host address. This property is specific to client <0>. Effective immediately for non-cached clients.

Integer ≥ 1

After Restart

ohi.service.<0>.client.
pool.timeout.connection

The max time, in milliseconds, a connection can take to connect to destinations. A value of 0 means never timeout. This property is specific to clientId <0>. Effective immediately for non-cached clients.

Integer ≥ 1

After Restart

ohi.service.<0>.client.
pool.timeout.idle

The max time, in milliseconds, a connection can be idle. This property is specific to client <0>. Effective immediately for non-cached clients.

Integer ≥ 1

After Restart

ohi.service.<0>.media.
type

For the notification media type. Notification key replaces the <0>.

application/json

String

Next Execution

ohi.service.<0>.method.
type

This property is for the notification method type. The notification key replaces the <0>.

POST

String

Next Execution